The OVAL Repository5.62015-09-03T08:38:59.037-04:00VMware product updates address critical Bash security vulnerabilitiesVMWare ESX Server 4.1VMWare ESX Server 4.0Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.Prashant KumarDRAFTINTERIMACCEPTEDACCEPTEDVMware product updates address critical Bash security vulnerabilitiesVMWare ESX Server 4.1VMWare ESX Server 4.0GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." 
NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.Prashant KumarDRAFTINTERIMACCEPTEDACCEPTEDVMware product updates address critical Bash security vulnerabilitiesVMWare ESX Server 4.1VMWare ESX Server 4.0The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.Prashant KumarDRAFTINTERIMACCEPTEDACCEPTEDVMware product updates address critical Bash security vulnerabilitiesVMWare ESX Server 4.1VMWare ESX Server 4.0GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary commands via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271, CVE-2014-7169, and CVE-2014-6277.Prashant KumarDRAFTINTERIMACCEPTEDACCEPTEDVMware product updates address critical Bash security vulnerabilitiesVMWare ESX Server 4.1VMWare ESX Server 4.0GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.Prashant KumarDRAFTINTERIMACCEPTEDACCEPTEDVMware product updates address critical Bash security vulnerabilitiesVMWare ESX Server 4.1VMWare ESX Server 4.0GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. 
NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.Prashant KumarDRAFTINTERIMACCEPTEDACCEPTEDVMware Workstation, Player, Fusion, ESXi, ESX and vCloud Director address several security issuesVMWare ESX Server 4.1VMWare ESX Server 4.0VMware ESXi 4.0 through 5.1 and ESX 4.0 and 4.1 allow remote attackers to cause a denial of service (NULL pointer dereference) by intercepting and modifying Network File Copy (NFC) traffic.Vinay NaikarDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX updates to third party librariesVMWare ESX Server 4.1The sctp_sf_do_5_2_4_dupcook function in net/sctp/sm_statefuns.c in the SCTP implementation in the Linux kernel before 3.8.5 does not properly handle associations during the processing of a duplicate COOKIE ECHO chunk, which allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via crafted SCTP traffic.Vinay NaikarDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX updates to third party librariesVMWare ESX Server 4.1The rds_ib_xmit function in net/rds/ib_send.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel 3.7.4 and earlier allows local users to cause a denial of service (BUG_ON and kernel panic) by establishing an RDS connection with the source IP address equal to the IPoIB interface's own IP address, as demonstrated by rds-ping.Vinay NaikarDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX updates to third party librariesVMWare ESX Server 4.1The (1) key_notify_sa_flush and (2) key_notify_policy_flush functions in net/key/af_key.c in the Linux kernel before 3.10 do not initialize certain structure members, which allows local users to obtain sensitive information from kernel heap memory by reading a broadcast message from the notify interface of an IPSec key_socket.Vinay NaikarDRAFTINTERIMACCEPTEDACCEPTEDVMware Workstation, Player, Fusion, ESXi, ESX and vCloud Director address several security issuesVMWare ESX Server 4.1VMWare 
ESX Server 4.0VMware Workstation 9.x before 9.0.1, VMware Player 5.x before 5.0.1, VMware Fusion 5.x before 5.0.1, VMware ESXi 4.0 through 5.1, and VMware ESX 4.0 and 4.1 allow guest OS users to cause a denial of service (VMX process disruption) by using an invalid port.Vinay NaikarDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX updates to third party librariesVMWare ESX Server 4.1The HP Smart Array controller disk-array driver and Compaq SMART2 controller disk-array driver in the Linux kernel through 3.9.4 do not initialize certain data structures, which allows local users to obtain sensitive information from kernel memory via (1) a crafted IDAGETPCIINFO command for a /dev/ida device, related to the ida_locked_ioctl function in drivers/block/cpqarray.c or (2) a crafted CCISS_PASSTHRU32 command for a /dev/cciss device, related to the cciss_ioctl32_passthru function in drivers/block/cciss.c.Vinay NaikarDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX unauthorized file access through vCenter Server and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0VMware ESXi 4.0 through 5.5 and ESX 4.0 and 4.1 allow local users to read or modify arbitrary files by leveraging the Virtual Machine Power User or Resource Pool Administrator role for a vCenter Server Add Existing Disk action with a (1) -flat, (2) -rdm, or (3) -rdmp filename.Vinay NaikarDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX updates to third party librariesVMWare ESX Server 4.1Race condition in the IP implementation in the Linux kernel before 3.0 might allow remote attackers to cause a denial of service (slab corruption and system crash) by sending packets to an application that sets socket options during the handling of network traffic.Vinay NaikarDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX updates to third party librariesVMWare ESX Server 4.1The key_notify_policy_flush function in net/key/af_key.c in the Linux kernel before 3.9 does not initialize a certain structure member, which allows local users to obtain sensitive information from 
kernel heap memory by reading a broadcast message from the notify_policy interface of an IPSec key_socket.Vinay NaikarDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX updates to third party librariesVMWare ESX Server 4.1The ip6_sk_dst_check function in net/ipv6/ip6_output.c in the Linux kernel before 3.10 allows local users to cause a denial of service (system crash) by using an AF_INET6 socket for a connection to an IPv4 interface.Vinay NaikarDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX updates to third party librariesVMWare ESX Server 4.1A certain Red Hat patch for the Linux kernel 2.6.32 on Red Hat Enterprise Linux (RHEL) 6 allows local users to cause a denial of service (invalid free operation and system crash) or possibly gain privileges via a sendmsg system call with the IP_RETOPTS option, as demonstrated by hemlock.c. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-3552.Vinay NaikarDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX updates to third party librariesVMWare ESX Server 4.1The mmc_ioctl_cdrom_read_data function in drivers/cdrom/cdrom.c in the Linux kernel through 3.10 allows local users to obtain sensitive information from kernel memory via a read operation on a malfunctioning CD-ROM drive.Vinay NaikarDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX address an NFC Protocol Unhandled ExceptionVMWare ESX Server 4.1VMWare ESX Server 4.0VMware ESXi 4.0 through 5.1, and ESX 4.0 and 4.1, does not properly implement the Network File Copy (NFC) protocol, which allows man-in-the-middle attackers to cause a denial of service (unhandled exception and application crash) by modifying the client-server data stream.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere, ESX and ESXi updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0The TLS protocol 1.1 and 1.2 and the DTLS protocol 1.0 and 1.2, as used in OpenSSL, OpenJDK, PolarSSL, and other products, do not properly consider timing side-channel attacks on a MAC check requirement during the 
processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere, ESX and ESXi updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0The _gnutls_ciphertext2compressed function in lib/gnutls_cipher.c in GnuTLS 2.12.23 allows remote attackers to cause a denial of service (buffer over-read and crash) via a crafted padding length. NOTE: this might be due to an incorrect fix for CVE-2013-0169.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere security updates for the authentication service and third party librariesVMWare ESX Server 4.1The xsltGenerateIdFunction function in functions.c in libxslt 1.1.26 and earlier, as used in Google Chrome before 10.0.648.127 and other products, allows remote attackers to obtain potentially sensitive information about heap memory addresses via an XML document containing a call to the XSLT generate-id XPath function.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1The Server Gated Cryptography (SGC) implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly handle handshake restarts, which allows remote attackers to cause a denial of service (CPU consumption) via unspecified vectors.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere security updates for the authentication service and third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0ISC BIND 9.x before 9.7.6-P3, 9.8.x before 9.8.3-P3, 9.9.x before 9.9.1-P3, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P3 allows remote attackers to cause a denial of service (assertion failure and named daemon exit) via a query for a long resource record.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX 
Server 4.1VMWare ESX Server 4.0The encode_share_access function in fs/nfs/nfs4xdr.c in the Linux kernel before 2.6.29 allows local users to cause a denial of service (BUG and system crash) by using the mknod system call with a pathname on an NFSv4 filesystem.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware security updates for vSphere API and ESX Service ConsoleVMWare ESX Server 4.1ISC BIND 9.x before 9.7.6-P1, 9.8.x before 9.8.3-P1, 9.9.x before 9.9.1-P1, and 9.4-ESV and 9.6-ESV before 9.6-ESV-R7-P1 does not properly handle resource records with a zero-length RDATA section, which allows remote DNS servers to cause a denial of service (daemon crash or data corruption) or obtain sensitive information from process memory via a crafted record.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0The NFS implementation in Linux kernel before 2.6.31-rc6 calls certain functions without properly initializing certain data, which allows local users to cause a denial of service (NULL pointer dereference and O_DIRECT oops), as demonstrated using diotest4 from LTP.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0The igmp_heard_query function in net/ipv4/igmp.c in the Linux kernel before 3.2.1 allows remote attackers to cause a denial of service (divide-by-zero error and panic) via IGMP packets.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1ssl/t1_lib.c in OpenSSL 0.9.8h through 0.9.8q and 1.0.0 through 1.0.0c allows remote attackers to cause a denial of service (crash), and possibly obtain sensitive information in applications that use OpenSSL, via a malformed ClientHello handshake message that triggers an out-of-bounds memory access, aka "OCSP stapling vulnerability."Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps 
updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0The proc filesystem implementation in the Linux kernel 2.6.37 and earlier does not restrict access to the /proc directory tree of a process after this process performs an exec of a setuid program, which allows local users to obtain sensitive information or cause a denial of service via open, lseek, read, and write system calls.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0The IPv6 implementation in the Linux kernel before 3.1 does not generate Fragment Identification values separately for each destination, which makes it easier for remote attackers to cause a denial of service (disrupted networking) by predicting these values and sending crafted packets.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1VMWare ESX Server 4.0client/mount.cifs.c in mount.cifs in smbfs in Samba 3.0.22, 3.0.28a, 3.2.3, 3.3.2, 3.4.0, and 3.4.5 allows local users to mount a CIFS share on an arbitrary mountpoint, and gain privileges, via a symlink attack on the mountpoint directory file.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0The asn1_d2i_read_bio function in crypto/asn1/a_d2i_fp.c in OpenSSL before 0.9.8v, 1.0.0 before 1.0.0i, and 1.0.1 before 1.0.1a does not properly interpret integer data, which allows remote attackers to conduct buffer overflow attacks, and cause a denial of service (memory corruption) or possibly have unspecified other impact, via crafted DER data, as demonstrated by an X.509 certificate or an RSA public key.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vCenter Server, ESXi and ESX address an NFC Protocol memory corruption and third party library security issues.VMWare ESX Server 4.1VMWare ESX Server 4.0VMWare ESX 
Server 3.5VMware vCenter Server 4.0 before Update 4b, 5.0 before Update 2, and 5.1 before 5.1.0b; VMware ESXi 3.5 through 5.1; and VMware ESX 3.5 through 4.1 do not properly implement the Network File Copy (NFC) protocol, which allows man-in-the-middle attackers to execute arbitrary code or cause a denial of service (memory corruption) by modifying the client-server data stream.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0The user_update function in security/keys/user_defined.c in the Linux kernel 2.6 allows local users to cause a denial of service (NULL pointer dereference and kernel oops) via vectors related to a user-defined key and "updating a negative key into a fully instantiated key."Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1The dccp_rcv_state_process function in net/dccp/input.c in the Datagram Congestion Control Protocol (DCCP) implementation in the Linux kernel before 2.6.38 does not properly handle packets for a CLOSED endpoint, which allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by sending a DCCP-Close packet followed by a DCCP-Reset packet.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1The sco_sock_getsockopt_old function in net/bluetooth/sco.c in the Linux kernel before 2.6.39 does 
not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via the SCO_CONNINFO option.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0Integer overflow in the vma_to_resize function in mm/mremap.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (BUG_ON and system crash) via a crafted mremap system call that expands a memory mapping.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX address several security issuesVMWare ESX Server 4.0VMWare ESX Server 4.1A certain Red Hat patch to the sctp_sock_migrate function in net/sctp/socket.c in the Linux kernel before 2.6.21, as used in Red Hat Enterprise Linux (RHEL) 5, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) via a crafted SCTP packet.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere, ESX and ESXi updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0OpenSSL before 0.9.8y, 1.0.0 before 1.0.0k, and 1.0.1 before 1.0.1d does not properly perform signature verification for OCSP responses, which allows remote OCSP servers to cause a denial of service (NULL pointer dereference and application crash) via an invalid key.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1Integer signedness error in the elf_get_dynamic_info function in elf/dynamic-link.h in ld.so in the GNU C Library (aka glibc or libc6) 2.0.1 through 2.11.1, when the --verify option is used, allows user-assisted remote attackers to execute arbitrary code via a crafted ELF program with a negative value for a certain d_tag structure member in the ELF header.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0The cleanup_journal_tail 
function in the Journaling Block Device (JBD) functionality in the Linux kernel 2.6 allows local users to cause a denial of service (assertion error and kernel oops) via an ext3 or ext4 image with an "invalid log first block value."Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware hosted products and ESXi/ESX patches address privilege escalationVMWare ESX Server 4.1VMWare ESX Server 4.0VMWare ESX Server 3.5VMware Workstation 8.x before 8.0.2, VMware Player 4.x before 4.0.2, VMware Fusion 4.x before 4.1.2, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 use an incorrect ACL for the VMware Tools folder, which allows guest OS users to gain guest OS privileges via unspecified vectors.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware security updates for vSphere API and ESX Service ConsoleVMWare ESX Server 4.1Python before 2.6.8, 2.7.x before 2.7.3, 3.x before 3.1.5, and 3.2.x before 3.2.3 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1The svc_run function in the RPC implementation in glibc before 2.15 allows remote attackers to cause a denial of service (CPU consumption) via a large number of RPC connections.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1The inet_diag_bc_audit function in net/ipv4/inet_diag.c in the Linux kernel before 2.6.39.3 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message, as demonstrated by an INET_DIAG_BC_JMP instruction with a zero yes value, a different vulnerability than CVE-2010-3880.Merryl 
DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1The qdisc_notify function in net/sched/sch_api.c in the Linux kernel before 2.6.35 does not prevent tc_fill_qdisc function calls referencing builtin (aka CQ_F_BUILTIN) Qdisc structures, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a crafted call.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.0VMWare ESX Server 4.1Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound and unspecified APIs.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware security updates for vSphere API and ESX Service ConsoleVMWare ESX Server 4.1The ASN.1 decoder in the QuickDER decoder in Mozilla Network Security Services (NSS) before 3.13.4, as used in Firefox 4.x through 12.0, Firefox ESR 10.x before 10.0.5, Thunderbird 5.0 through 12.0, Thunderbird ESR 10.x before 10.0.5, and SeaMonkey before 2.10, allows remote attackers to cause a denial of service (application crash) via a zero-length item, as demonstrated by (1) a zero-length basic constraint or (2) a zero-length field in an OCSP response.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0Double free vulnerability in the xfrm6_tunnel_rcv function in net/ipv6/xfrm6_tunnel.c in the Linux kernel before 2.6.22, when the xfrm6_tunnel module is enabled, allows remote attackers to cause a denial of service (panic) via crafted IPv6 packets.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and 
vCOps updates to third party librariesVMWare ESX Server 4.1OpenSSL before 0.9.8s and 1.x before 1.0.0f, when RFC 3779 support is enabled, allows remote attackers to cause a denial of service (assertion failure) via an X.509 certificate containing certificate-extension data associated with (1) IP address blocks or (2) Autonomous System (AS) identifiers.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0Race condition in the ecryptfs_mount function in fs/ecryptfs/main.c in the eCryptfs subsystem in the Linux kernel before 3.1 allows local users to bypass intended file permissions via a mount.ecryptfs_private mount with a mismatched uid.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere security updates for the authentication service and third party librariesVMWare ESX Server 4.1libxml2 2.9.0-rc1 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly support a cast of an unspecified variable during handling of XSL transforms, which allows remote attackers to cause a denial of service or possibly have unknown other impact via a crafted document, related to the _xmlNs data structure in include/libxml/tree.h.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi and ESX address several security issuesVMWare ESX Server 4.0VMWare ESX Server 4.1Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data.Merryl DMelloDRAFTINTERIMChris CoffinACCEPTEDACCEPTEDVMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi and ESX address several security issuesVMWare ESX Server 4.0VMWare ESX 
Server 4.1Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.Merryl DMelloDRAFTINTERIMChris CoffinACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1Unspecified vulnerability in the Java DB component in Oracle Java SE and Java for Business 6 Update 23, and, and earlier allows local users to affect confidentiality via unknown vectors related to Security, a similar vulnerability to CVE-2009-4269.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1The do_task_stat function in fs/proc/array.c in the Linux kernel before 2.6.39-rc1 does not perform an expected uid check, which makes it easier for local users to defeat the ASLR protection mechanism by reading the start_code and end_code fields in the /proc/#####/stat file for a process executing a PIE binary.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, 
ESXi and ESXVMWare ESX Server 4.1Unspecified vulnerability in the Java Web Start component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1VMWare ESX Server 4.0smbfs in Samba 3.5.8 and earlier attempts to use (1) mount.cifs to append to the /etc/mtab file and (2) umount.cifs to append to the /etc/mtab.tmp file without first checking whether resource limits would interfere, which allows local users to trigger corruption of the /etc/mtab file via a process with a small RLIMIT_FSIZE value, a related issue to CVE-2011-1089.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0libuser before 0.57 uses a cleartext password value of (1) !! 
or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware hosted products and ESXi and ESX patches address security issuesVMWare ESX Server 4.1VMWare ESX Server 4.0VMWare ESX Server 3.5VMware Workstation 8.x before 8.0.4, VMware Player 4.x before 4.0.4, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 allow remote attackers to cause a denial of service (guest OS crash) via crafted traffic from a remote virtual device.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1The bnep_sock_ioctl function in net/bluetooth/bnep/sock.c in the Linux kernel before 2.6.39 does not ensure that a certain device field ends with a '\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory, or cause a denial of service (BUG and system crash), via a BNEPCONNADD command.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1Unspecified vulnerability in the Deployment component in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi 
and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1VMWare ESX Server 4.0The updatePosition function in lib/xmltok_impl.c in libexpat in Expat 2.0.1, as used in Python, PyXML, w3c-libwww, and other software, allows context-dependent attackers to cause a denial of service (application crash) via an XML document with crafted UTF-8 sequences that trigger a buffer over-read, a different vulnerability than CVE-2009-2625.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware hosted products and ESXi and ESX patches address security issuesVMWare ESX Server 4.1VMWare ESX Server 4.0VMWare ESX Server 3.5VMware Workstation 7.x before 7.1.6 and 8.x before 8.0.4, VMware Player 3.x before 3.1.6 and 4.x before 4.0.4, VMware Fusion 4.x before 4.1.3, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 allow user-assisted remote attackers to execute arbitrary code on the host OS or cause a denial of service (memory corruption) on the host OS via a crafted Checkpoint file.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0The headerLoad function in lib/header.c in RPM before 4.9.1.3 does not properly validate region tags, which allows user-assisted remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large region size in a package header.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1VMWare ESX Server 4.0client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1VMWare ESX Server 4.0The 
Curl_input_negotiate function in http_negotiate.c in libcurl 7.10.6 through 7.21.6, as used in curl and other products, always performs credential delegation during GSSAPI authentication, which allows remote servers to impersonate clients via GSSAPI requests.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
OpenSSL before 0.9.8j, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the use of a disabled cipher via vectors involving sniffing network traffic to discover a session identifier, a different vulnerability than CVE-2010-4180.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The processcompl_compat function in drivers/usb/core/devio.c in Linux kernel 2.6.x through 2.6.32, and possibly other versions, does not clear the transfer buffer before returning to userspace when a USB command fails, which might make it easier for physically proximate attackers to obtain sensitive information (kernel memory).
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Race condition in the sctp_icmp_proto_unreachable function in net/sctp/input.c in Linux kernel 2.6.11-rc2 through 2.6.33 allows remote attackers to cause a denial of service (panic) via an ICMP unreachable message to a socket that is already locked by a user, which causes the socket to be freed and triggers list corruption, related to the sctp_wait_for_connect function.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX address several security issues
VMWare ESX Server 4.1, VMWare ESX Server 4.0, VMWare ESX Server 3.5
VMware ESXi 3.5, 4.0, and 4.1 and ESX 3.5,
4.0, and 4.1 do not properly implement port-based I/O operations, which allows guest OS users to gain guest OS privileges by overwriting memory locations in a read-only memory block associated with the Virtual DOS Machine.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware security updates for vSphere API and ESX Service Console
VMWare ESX Server 4.1
The resolver in ISC BIND 9 through 9.8.1-P1 overwrites cached server names and TTL values in NS records during the processing of a response to an A record query, which allows remote attackers to trigger continued resolvability of revoked domain names via a "ghost domain names" attack.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware security updates for vSphere API and ESX Service Console
VMWare ESX Server 4.1
The list_directory function in Lib/SimpleHTTPServer.py in SimpleHTTPServer in Python before 2.5.6c1, 2.6.x before 2.6.7 rc2, and 2.7.x before 2.7.2 does not place a charset parameter in the Content-Type HTTP header, which makes it easier for remote attackers to conduct cross-site scripting (XSS) attacks against Internet Explorer 7 via UTF-7 encoding.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound and unspecified APIs.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The snd_hdspm_hwdep_ioctl function in sound/pci/rme9652/hdspm.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack
memory via an SNDRV_HDSPM_IOCTL_GET_CONFIG_INFO ioctl call.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allow remote attackers to hijack the authentication of administrators for requests that (1) shut down daemons, (2) start daemons, (3) add shares, (4) remove shares, (5) add printers, (6) remove printers, (7) add user accounts, or (8) remove user accounts, as demonstrated by certain start, stop, and restart parameters to the status program.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware Workstation, Player, ESXi and ESX patches address critical security issues
VMWare ESX Server 4.1, VMWare ESX Server 4.0, VMWare ESX Server 3.5
VMware Workstation 8.x before 8.0.3, VMware Player 4.x before 4.0.3, VMware Fusion 4.x before 4.1.2, VMware ESXi 3.5 through 5.0, and VMware ESX 3.5 through 4.1 do not properly register SCSI devices, which allows guest OS users to cause a denial of service (invalid write operation and VMX process crash) or possibly execute arbitrary code on the host OS by leveraging administrative privileges on the guest OS.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The setup_cifs_sb function in fs/cifs/connect.c in the Linux kernel before 2.6.39 does not properly handle DFS referrals, which allows remote CIFS servers to cause a denial of service (system crash) by placing a referral at the root of a share.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere security updates for the authentication service and third party libraries
VMWare ESX Server 4.1
libxslt 1.1.26 and earlier, as used in Google Chrome before 21.0.1180.89, does not properly manage memory, which might allow remote attackers to cause a denial of service
(application crash) via a crafted XSLT expression that is not properly identified during XPath navigation, related to (1) the xsltCompileLocationPathPattern function in libxslt/pattern.c and (2) the xsltGenerateIdFunction function in libxslt/functions.c.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
The Generic Receive Offload (GRO) implementation in the Linux kernel 2.6.18 on Red Hat Enterprise Linux 5 and 2.6.32 on Red Hat Enterprise Linux 6, as used in Red Hat Enterprise Virtualization (RHEV) Hypervisor and other products, allows remote attackers to cause a denial of service via crafted VLAN packets that are processed by the napi_reuse_skb function, leading to (1) a memory leak or (2) memory corruption, a different vulnerability than CVE-2011-1478.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere security updates for the authentication service and third party libraries
VMWare ESX Server 4.1
Multiple integer overflows in libxml2, as used in Google Chrome before 20.0.1132.43 and other products, on 64-bit Linux platforms allow remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The wait_for_unix_gc function in net/unix/garbage.c in the Linux kernel before 2.6.37-rc3-next-20101125 does not properly select times for garbage collection of inflight sockets, which allows local users to cause a denial of service (system hang) via crafted use of the socketpair and sendmsg system calls for SOCK_SEQPACKET sockets.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere security updates for the authentication service and third party libraries
VMWare ESX Server 4.1
The XSL implementation in Google Chrome before 20.0.1132.43 allows remote attackers to cause a denial of service
(incorrect read operation) via unspecified vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
The instruction emulation in Xen 3.0.3 allows local SMP guest users to cause a denial of service (host crash) by replacing the instruction that causes the VM to exit in one thread with a different instruction in a different thread.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware Workstation, Player, ESXi and ESX patches address critical security issues
VMWare ESX Server 4.1, VMWare ESX Server 4.0, VMWare ESX Server 3.5
The VMX process in VMware ESXi 3.5 through 4.1 and ESX 3.5 through 4.1 does not properly handle RPC commands, which allows guest OS users to cause a denial of service (memory overwrite and process crash) or possibly execute arbitrary code on the host OS via vectors involving data pointers.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
drivers/scsi/bfa/bfa_core.c in the Linux kernel before 2.6.35 does not initialize a certain port data structure, which allows local users to cause a denial of service (system crash) via read operations on an fc_host statistics file.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1
Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 10 through 6 Update 23 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The xfs_ioc_fsgetxattr function in fs/xfs/linux-2.6/xfs_ioctl.c in the Linux kernel
before 2.6.36-rc4 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an ioctl call.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi and ESX address several security issues
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The XPDM display driver in VMware ESXi 4.0, 4.1, and 5.0; VMware ESX 4.0 and 4.1; and VMware View before 4.6.1 allows guest OS users to gain guest OS privileges or cause a denial of service (NULL pointer dereference) via unspecified vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The get_name function in net/tipc/socket.c in the Linux kernel before 2.6.37-rc2 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory by reading a copy of this structure.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1
Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU.
Oracle has not commented on claims from a reliable downstream vendor that this involves the use of the privileged accept method in the ServerSocket class, which does not limit which hosts can connect and allows remote attackers to bypass intended network access restrictions.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1, VMWare ESX Server 4.0
gnutls_cipher.c in libgnutls in GnuTLS before 2.12.17 and 3.x before 3.0.15 does not properly handle data encrypted with a block cipher, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) via a crafted record, as demonstrated by a crafted GenericBlockCipher structure.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Multiple integer signedness errors in the TIPC implementation in the Linux kernel before 2.6.36.2 allow local users to gain privileges via a crafted sendmsg call that
triggers a heap-based buffer overflow, related to the tipc_msg_build function in net/tipc/msg.c and the verify_iovec function in net/core/iovec.c.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1
Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality via unknown vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0, VMWare ESX Server 3.5
Integer overflow in the _ctl_do_mpt_command function in drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier might allow local users to gain privileges or cause a denial of service (memory corruption) via an ioctl call specifying a crafted value that triggers a heap-based buffer overflow.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
Multiple buffer overflows in net/wireless/nl80211.c in the Linux kernel before 2.6.39.2 allow local users to gain privileges by leveraging the CAP_NET_ADMIN capability during scan operations with a long SSID value.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1
Unspecified vulnerability in the Deployment component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the January 2011 CPU.
Oracle has not commented on claims from a reliable third party coordinator that the ActiveX Plugin does not properly initialize an object field that is used as a window handle, which allows attackers to execute arbitrary code.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
Heap-based buffer overflow in the is_gpt_valid function in fs/partitions/efi.c in the Linux kernel 2.6.38 and earlier allows physically proximate attackers to cause a denial of service (OOPS) or possibly have unspecified other impact via a crafted size of the EFI GUID partition-table header on removable media.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The sctp_rcv_ootb function in the SCTP implementation in the Linux kernel before 2.6.23 allows remote attackers to cause a denial of service (infinite loop) via (1) an Out Of The Blue (OOTB) chunk or (2) a chunk of zero length.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
Integer overflow in the _ctl_do_mpt_command function in drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier might allow local users to gain privileges or cause a denial of service (memory corruption) via an ioctl call specifying a crafted value that triggers a heap-based buffer overflow.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The snd_hdsp_hwdep_ioctl function in sound/pci/rme9652/hdsp.c in the Linux kernel before 2.6.36-rc6 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via an SNDRV_HDSP_IOCTL_GET_CONFIG_INFO ioctl call.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
The do_replace function in net/bridge/netfilter/ebtables.c in the Linux kernel before 2.6.39 does not ensure that a certain name field ends with a '\0' character, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_ADMIN capability to replace a table, and then reading a modprobe command line.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1
Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote attackers to affect availability, related to XML Digital Signature and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue involves the replacement of the "XML DSig Transform or C14N algorithm implementations."
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
fs/cifs/cifssmb.c in the CIFS implementation in the Linux kernel before 2.6.34-rc4 allows remote attackers to cause a denial of service (panic) via an SMB response packet with an invalid CountHigh value, as demonstrated by a response from an OS/2 server, related to the CIFSSMBWrite and CIFSSMBWrite2 functions.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1
OpenSSL before 1.0.0c, when J-PAKE is enabled, does not properly validate the public parameters in the J-PAKE protocol, which allows remote attackers to bypass the need for knowledge of the shared secret, and successfully authenticate, by sending crafted values in each round
of the protocol.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1
Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1
Unspecified vulnerability in the Java Naming and Directory Interface (JNDI) component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this allows remote attackers to determine internal IP addresses or "otherwise-protected internal network names."
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU.
Oracle has not commented on claims from a reliable downstream vendor that this is a race condition related to deserialization.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with "recycling of a buffer."
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues
VMWare ESX Server 4.1, VMWare ESX Server 4.0, VMWare ESX Server 3.5
mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 through 4.1, and VMware ESX 3.0.3 through 4.1, when a Solaris or FreeBSD guest OS is used, allows guest OS users to modify arbitrary guest OS files via unspecified vectors, related to a "procedural error."
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
net/ipv4/inet_diag.c in the Linux kernel before 2.6.37-rc2 does not properly audit INET_DIAG bytecode, which allows local users to cause a denial of service (kernel infinite loop) via crafted INET_DIAG_REQ_BYTECODE instructions in a netlink message that contains multiple attribute elements, as demonstrated by INET_DIAG_BC_JMP instructions.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The wake_futex_pi function in kernel/futex.c in the Linux kernel before 2.6.33-rc7 does not properly handle certain unlock
operations for a Priority Inheritance (PI) futex, which allows local users to cause a denial of service (OOPS) and possibly have unspecified other impact via vectors involving modification of the futex value from user space.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
The ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 does not initialize a certain response buffer, which allows local users to obtain potentially sensitive information from kernel memory via vectors that cause this buffer to be only partially filled, a different vulnerability than CVE-2010-4649.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The Linux kernel before 2.6.32.4 allows local users to gain privileges or cause a denial of service (panic) by calling the (1) mmap or (2) mremap function, aka the "do_mremap() mess" or "mremap/mmap mess."
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
net/ipv4/netfilter/ip_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1
The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to
inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
The agp_generic_remove_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 does not validate a certain start parameter, which allows local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_UNBIND agp_ioctl ioctl call, a different vulnerability than CVE-2011-1745.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot. NOTE: the previous information was obtained from the February 2011 CPU.
Oracle has not commented on claims from a downstream vendor that this issue is heap corruption related to the Verifier and "backward jsrs."
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The rds_page_copy_user function in net/rds/page.c in the Reliable Datagram Sockets (RDS) protocol implementation in the Linux kernel before 2.6.36 does not properly validate addresses obtained from user space, which allows local users to gain privileges via crafted use of the sendmsg and recvmsg system calls.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The task_show_regs function in arch/s390/kernel/traps.c in the Linux kernel before 2.6.38-rc4-next-20110216 on the s390 platform allows local users to obtain the values of the registers of an arbitrary process by reading a status file under /proc/.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Double free vulnerability in the ssl3_get_key_exchange function in the OpenSSL client (ssl/s3_clnt.c) in OpenSSL 1.0.0a, 0.9.8, 0.9.7, and possibly other versions, when using ECDH, allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted private key with an invalid prime.
NOTE: some sources refer to this as a use-after-free issue.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The sctp_process_unk_param function in net/sctp/sm_make_chunk.c in the Linux kernel 2.6.33.3 and earlier, when SCTP is enabled, allows remote attackers to cause a denial of service (system crash) via an SCTPChunkInit packet containing multiple invalid parameters that require a large amount of error data.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm.
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The extension parser in slp_v2message.c in OpenSLP 1.2.1, and other versions before SVN revision 1647, as used in Service Location Protocol daemon (SLPD) in VMware ESX 4.0 and 4.1 and ESXi 4.0 and 4.1, allows remote attackers to cause a denial of service (infinite loop) via a packet with a "next extension offset" that references this extension or a previous extension. NOTE: some of these details are obtained from third party information.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU.
Oracle has not commented on claims from a reliable downstream vendor that this is related to a calculation error in right-to-left text character counts for the ICU OpenType font rendering implementation, which triggers an out-of-bounds memory access.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
The get_free_port function in Xen allows local authenticated DomU users to cause a denial of service or possibly gain privileges via unspecified vectors involving a new event channel port.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier does not validate (1) length and (2) offset values before performing memory copy operations, which might allow local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from kernel memory via a crafted ioctl call, related to the _ctl_do_mpt_command and _ctl_diag_read_buffer functions.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The compat_alloc_user_space functions in include/asm/compat.h files in the Linux kernel before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer, which allows local users to gain privileges by leveraging the ability of the compat_mc_getsockopt function (aka the MCAST_MSFILTER getsockopt support) to control a certain length value, related to a "stack pointer underflow" issue, as exploited in the wild in September 2010.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
Integer overflow in the ib_uverbs_poll_cq function in
drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large value of a certain structure member.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
drivers/connector/connector.c in the Linux kernel before 2.6.32.8 allows local users to cause a denial of service (memory consumption and system crash) by sending the kernel many NETLINK_CONNECTOR messages.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The uart_get_count function in drivers/serial/serial_core.c in the Linux kernel before 2.6.37-rc1 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The nfs_wait_on_request function in fs/nfs/pagelist.c in Linux kernel 2.6.x through 2.6.33-rc5 allows attackers to cause a denial of service (Oops) via unknown vectors related to truncating a file and an operation that is not interruptible.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere security updates for the authentication service and third party libraries
VMWare ESX Server 4.1
Off-by-one error in libxml2, as used in Google Chrome before 19.0.1084.46 and other products, allows remote attackers to cause a denial of service (out-of-bounds write) or possibly have unspecified other impact via unknown vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Integer overflow in the ioc_general function in drivers/scsi/gdth.c in the Linux kernel before 2.6.36.1 on 64-bit platforms allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large argument in an ioctl call.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier expands the $ORIGIN dynamic string token when RPATH is composed entirely of this token, which might allow local users to gain privileges by creating a hard link in an arbitrary directory to a (1) setuid or (2) setgid program with this RPATH value, and then executing the program with a crafted value for the LD_PRELOAD environment variable, a different vulnerability than CVE-2010-3847 and CVE-2011-0536. NOTE: it is not expected that any standard operating-system distribution would ship an applicable setuid or setgid program.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Windows, Solaris, and, Linux; 5.0 Update 27 and earlier for Windows; and 1.4.2_29 and earlier for Windows allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Deployment.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The ULE decapsulation functionality in drivers/media/dvb/dvb-core/dvb_net.c in dvb-core in Linux kernel 2.6.33 and earlier allows attackers to cause a denial of service (infinite loop) via a crafted MPEG2-TS frame, related to an
invalid Payload Pointer ULE.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1
Double free vulnerability in OpenSSL 0.9.8 before 0.9.8s, when X509_V_FLAG_POLICY_CHECK is enabled, allows remote attackers to have an unspecified impact by triggering failure of a policy check.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The cxgb_extension_ioctl function in drivers/net/cxgb3/cxgb3_main.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a CHELSIO_GET_QSET_NUM ioctl call.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The xfs_swapext function in fs/xfs/xfs_dfrag.c in the Linux kernel before 2.6.35 does not properly check the file descriptors passed to the SWAPEXT ioctl, which allows local users to leverage write access and obtain read access by swapping one file into another file.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1
The addmntent function in the GNU C Library (aka glibc or libc6) 2.13 and earlier does not report an error status for failed attempts to write to the /etc/mtab file, which makes it easier for local users to trigger corruption of this file, as demonstrated by writes from a process with a small RLIMIT_FSIZE value, a different vulnerability than CVE-2010-0296.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.0, VMWare ESX Server 4.1
Unspecified vulnerability in the CORBA component in Oracle Java SE and Java for Business 6 Update 21, 5.0
Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to "permissions granted to certain system objects."
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
fs/exec.c in the Linux kernel before 2.6.37 does not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allows local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an "OOM dodging issue," a related issue to CVE-2010-3858.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
gfs2 in the Linux kernel 2.6.18, and possibly other versions, does not properly handle when the gfs2_quota struct occupies two separate pages, which allows local users to cause a denial of service (kernel panic) via certain manipulations that cause an out-of-bounds write, as demonstrated by writing from an ext3 file system to a gfs2 file system.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware Workstation, Player, ESXi and ESX patches address critical security issues
VMWare ESX Server 4.1
The VMX process in VMware ESXi 4.1 and ESX 4.1 does not properly handle RPC commands, which allows guest OS users to cause a denial of service (memory overwrite and process crash) or possibly execute arbitrary code on the host OS via vectors involving function pointers.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The headerVerifyInfo function in lib/header.c in RPM before 4.9.1.3 allows remote
attackers to cause a denial of service (crash) and possibly execute arbitrary code via a negative value in a region offset of a package header, which is not properly handled in a numeric range comparison.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi and ESX address several security issues
VMWare ESX Server 4.0, VMWare ESX Server 4.1
Apache Tomcat 5.5.x before 5.5.35, 6.x before 6.0.34, and 7.x before 7.0.23 uses an inefficient approach for handling parameters, which allows remote attackers to cause a denial of service (CPU consumption) via a request that contains many parameters and parameter values, a different vulnerability than CVE-2011-4858.
Merryl DMello | DRAFT | INTERIM | Chris Coffin | ACCEPTED | ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU.
Oracle has not commented on claims from a reliable downstream vendor that this is a double free vulnerability in IndexColorModel that allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware vSphere, ESX and ESXi updates to third party libraries
VMWare ESX Server 4.1, VMWare ESX Server 4.0
libxml2 2.9.0 and earlier allows context-dependent attackers to cause a denial of service (CPU and memory consumption) via an XML file containing an entity declaration with long replacement text and many references to this entity, aka "internal entity expansion" with linear complexity.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The backend driver in Xen 3.x allows guest OS users to cause a denial of service via a kernel thread leak, which prevents the device and guest OS from being shut down or create a zombie domain, causes a hang in zenwatch, or prevents unspecified xm commands from working properly, related to (1) netback, (2) blkback, or (3) blktap.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1
Integer overflow in the __tzfile_read function in glibc before 2.15 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted timezone (TZ) file, as demonstrated using vsftpd.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware security updates for vSphere API and ESX Service Console
VMWare ESX Server 4.1
The vSphere API in VMware ESXi 4.1 and ESX 4.1 allows remote attackers to cause a denial of service (host daemon crash) via an invalid value in a (1) RetrieveProp or (2) RetrievePropEx SOAP request.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
The is_gpt_valid function in
fs/partitions/efi.c in the Linux kernel before 2.6.39 does not check the size of an Extensible Firmware Interface (EFI) GUID Partition Table (GPT) entry, which allows physically proximate attackers to cause a denial of service (heap-based buffer overflow and OOPS) or obtain sensitive information from kernel heap memory by connecting a crafted GPT storage device, a different vulnerability than CVE-2011-1577.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console
VMWare ESX Server 4.1
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 does not properly restrict the use of TGT credentials for armoring TGS requests, which might allow remote authenticated users to impersonate a client by rewriting an inner request, aka a "KrbFastReq forgery issue."
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The hci_uart_tty_open function in the HCI UART driver (drivers/bluetooth/hci_ldisc.c) in the Linux kernel 2.6.36, and possibly other versions, does not verify whether the tty has a write operation, which allows local users to cause a denial of service (NULL pointer dereference) via vectors related to the Bluetooth driver.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console
VMWare ESX Server 4.1
The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (NULL pointer dereference or buffer over-read, and daemon crash) via a crafted principal name.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The do_block_io_op function in (1) drivers/xen/blkback/blkback.c and (2) drivers/xen/blktap/blktap.c in Xen before 3.4.0 for the Linux kernel 2.6.18, and possibly other versions, allows guest OS users to cause a denial of service (infinite loop and CPU consumption) via a large production request index to the blkback or blktap back-end drivers. NOTE: some of these details are obtained from third party information.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Deployment.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The sctp_packet_config function in net/sctp/output.c in the Linux kernel before 2.6.35.6 performs extraneous initializations of packet data structures, which allows remote attackers to cause a denial of service (panic) via a certain sequence of SCTP traffic.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The io_submit_one function in fs/aio.c in the Linux kernel before 2.6.23 allows local users to cause a denial of service (NULL pointer dereference) via a crafted io_submit system call with an IOCB_FLAG_RESFD flag.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware vSphere security updates for the authentication service and third party libraries
VMWare ESX Server 4.1, VMWare ESX Server 4.0, VMWare ESX Server 3.5
VMware vCenter Server 4.0 before Update 4b and 4.1 before Update 3a, VMware VirtualCenter 2.5, VMware vSphere Client 4.0 before Update 4b and 4.1 before Update 3a, VMware VI-Client 2.5, VMware ESXi 3.5 through 4.1, and VMware ESX 3.5 through 4.1 do not properly implement the management authentication protocol, which allow remote servers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.0, VMWare ESX Server 4.1
Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU.
Oracle has not commented on claims from a reliable downstream vendor that this is an HTTP request splitting vulnerability involving the handling of the chunked transfer encoding method by the HttpURLConnection class.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1
Integer overflow in the vfprintf function in stdio-common/vfprintf.c in glibc 2.14 and other versions allows context-dependent attackers to bypass the FORTIFY_SOURCE protection mechanism, conduct format string attacks, and write to arbitrary memory via a large number of arguments.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console
VMWare ESX Server 4.1
MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to forge GSS tokens, gain privileges, or have unspecified other impact via (1) an unkeyed checksum, (2) an unkeyed PAC checksum, or (3) a KrbFastArmoredReq checksum based on an RC4 key.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update and 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU.
Oracle has not commented on claims from a reliable researcher that this is an integer overflow that leads to a buffer overflow via a crafted devs (device information) tag structure in a color profile.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The tcf_act_police_dump function in net/sched/act_police.c in the actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc4 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel memory via vectors involving a dump operation. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-2942.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Integer overflow in the ext4_ext_get_blocks function in fs/ext4/extents.c in the Linux kernel before 2.6.34 allows local users to cause a denial of service (BUG and system crash) via a write operation on the last block of a large file, followed by a sync operation.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1
Unspecified vulnerability in the New Java Plug-in component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware Workstation, Fusion, ESXi and ESX patches address a guest privilege escalation
VMWare ESX Server 4.1, VMWare ESX Server 4.0
lgtosync.sys in VMware Workstation 9.x before 9.0.3, VMware Player 5.x before 5.0.3, VMware Fusion 5.x before 5.0.4, VMware ESXi 4.0 through 5.1, and VMware ESX 4.0 and 4.1, when a 32-bit Windows guest OS is used, allows guest OS users to gain guest
OS privileges via an application that performs a crafted memory allocation.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm.
VMWare ESX Server 4.1, VMWare ESX Server 4.0
named in ISC BIND 9.6.2 before 9.6.2-P3, 9.6-ESV before 9.6-ESV-R3, and 9.7.x before 9.7.2-P3 does not properly handle the combination of signed negative responses and corresponding RRSIG records in the cache, which allows remote attackers to cause a denial of service (daemon crash) via a query for cached data.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
net/ipv6/netfilter/ip6_tables.c in the IPv6 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Unspecified vulnerability in the Java Runtime Environment component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU.
Oracle has not commented on claims from a reliable downstream vendor that this allows remote attackers to execute arbitrary code by causing the defaultReadObject method in the Serialization API to set a volatile field multiple times.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Integer overflow in the rds_rdma_pages function in net/rds/rdma.c in the Linux kernel allows local users to cause a denial of service (crash) and possibly execute arbitrary code via a crafted iovec struct in a Reliable Datagram Sockets (RDS) request, which triggers a buffer overflow.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
Race condition in the cm_work_handler function in the InfiniBand driver (drivers/infiniband/core/cma.c) in Linux kernel 2.6.x allows remote attackers to cause a denial of service (panic) by sending an InfiniBand request while other request handlers are still running, which triggers an invalid pointer dereference.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The copy_shmid_to_user function in ipc/shm.c in the Linux kernel before 2.6.37-rc1 does not initialize a certain structure, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the shmctl system call and the "old shm interface."
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
Integer overflow in the agp_generic_insert_memory function in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allows local users to gain privileges or cause a denial of service (system crash) via a crafted AGPIOC_BIND agp_ioctl ioctl call.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console
VMWare ESX Server 4.1
lsassd in Likewise Open /Enterprise 5.3 before build 7845, Open 6.0 before build 8325, and Enterprise 6.0 before build 178, as distributed in VMware ESXi 4.1 and ESX 4.1 and possibly other products, allows remote attackers to cause a denial of service (daemon crash) via an Active Directory login attempt that provides a username containing an invalid byte sequence.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
The bluetooth subsystem in the Linux kernel before 3.0-rc4 does not properly initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel memory via a crafted getsockopt system call, related to (1) the l2cap_sock_getsockopt_old function in net/bluetooth/l2cap_sock.c and (2) the rfcomm_sock_getsockopt_old function in net/bluetooth/rfcomm/sock.c.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
Xen in the Linux kernel, when running a guest on a host without hardware assisted paging (HAP), allows guest users to cause a denial of service (invalid pointer dereference and hypervisor crash) via the SAHF instruction.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Multiple race conditions in ssl/t1_lib.c in OpenSSL 0.9.8f through 0.9.8o, 1.0.0, and 1.0.0a, when multi-threading and internal caching are enabled on a TLS server, might allow remote attackers to execute arbitrary code via client data that triggers a heap-based buffer overflow, related to (1) the TLS server name extension and (2) elliptic curve cryptography.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The socket implementation in net/core/sock.c in the Linux kernel before 2.6.34 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service (memory consumption) by sending a large amount of network traffic, as demonstrated by netperf UDP tests.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a "stack extension attack," a related issue to CVE-2010-2898, CVE-2010-1917, and CVE-2007-4782, as originally reported for use of this library by Google Chrome.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The azx_position_ok function in hda_intel.c in Linux kernel 2.6.33-rc4 and earlier, when running on the AMD780V chip set, allows context-dependent attackers to cause a denial of service (crash) via unknown manipulations that trigger a divide-by-zero error.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.0, VMWare ESX Server 4.1
Unspecified vulnerability in the Sound component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this involves an incorrect sign extension in the HeadspaceSoundbank.nGetName function, which allows attackers to execute arbitrary code via a crafted BANK record that leads to a buffer overflow.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
fs/namei.c in Linux kernel 2.6.18 through 2.6.34 does not always follow NFS automount "symlinks," which allows attackers to have an unknown impact, related to LOOKUP_FOLLOW.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The is_cgi method in CGIHTTPServer.py in the CGIHTTPServer module in Python 2.5, 2.6, and 3.0 allows remote attackers to read script source code via an HTTP GET request that lacks a / (slash) character at the beginning of the URI.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX security update for third party library
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Heap-based buffer underflow in the xmlParseAttValueComplex function in parser.c in libxml2 2.9.0 and earlier, as used in Google Chrome before 23.0.1271.91 and other products, allows remote attackers to cause a denial of service or possibly execute arbitrary code via crafted entities in an XML document.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Buffer overflow in the mac_partition function in fs/partitions/mac.c in the Linux kernel before 2.6.37.2 allows local users to cause a denial of service (panic) or possibly have unspecified other impact via a malformed Mac OS partition table.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1
The DTLS implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f performs a MAC check only if certain padding is valid, which makes it easier for remote attackers to recover plaintext via a padding oracle attack.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1, VMWare ESX Server 4.0
RPM before 4.9.1.3 does not properly validate region tags, which allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via an invalid region tag in a package header to the (1) headerLoad, (2) rpmReadSignature, or (3) headerVerify function.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Cross-site
scripting (XSS) vulnerability in the chg_passwd function in web/swat.c in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allows remote authenticated administrators to inject arbitrary web script or HTML via the username parameter to the passwd program (aka the user field to the Change Password page).
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0, VMWare ESX Server 3.5
drivers/scsi/mpt2sas/mpt2sas_ctl.c in the Linux kernel 2.6.38 and earlier does not validate (1) length and (2) offset values before performing memory copy operations, which might allow local users to gain privileges, cause a denial of service (memory corruption), or obtain sensitive information from kernel memory via a crafted ioctl call, related to the _ctl_do_mpt_command and _ctl_diag_read_buffer functions.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
The Network Lock Manager (NLM) protocol implementation in the NFS client functionality in the Linux kernel before 3.0 allows local users to cause a denial of service (system hang) via a LOCK_UN flock system call.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
ld.so in the GNU C Library (aka glibc or libc6) 2.13 and earlier expands the $ORIGIN dynamic string token when RPATH is composed entirely of this token, which might allow local users to gain privileges by creating a hard link in an arbitrary directory to a (1) setuid or (2) setgid program with this RPATH value, and then executing the program with a crafted value for the LD_PRELOAD environment variable, a different vulnerability than CVE-2010-3847 and CVE-2011-0536.
NOTE: it is not expected that any standard operating-system distribution would ship an applicable setuid or setgid program.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Multiple buffer overflows in fs/nfsd/nfs4xdr.c in the XDR implementation in the NFS server in the Linux kernel before 2.6.34-rc6 allow remote attackers to cause a denial of service (panic) or possibly execute arbitrary code via a crafted NFSv4 compound WRITE request, related to the read_buf and nfsd4_decode_compound functions.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware security updates for vSphere API and ESX Service Console
VMWare ESX Server 4.1
The XML parser (xmlparse.c) in expat before 2.1.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via an XML file with many identifiers with the same value.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0, VMWare ESX Server 3.5
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The encode_name macro in misc/mntent_r.c in the GNU C Library (aka glibc or libc6) 2.11.1 and earlier, as used by ncpmount and mount.cifs, does not properly handle newline characters in mountpoint names, which allows local users to cause a denial of service (mtab corruption), or possibly modify mount options and gain privileges, via a crafted mount request.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1
The SSL 3.0 implementation in OpenSSL before 0.9.8s and 1.x before 1.0.0f does not properly initialize data structures for block cipher padding, which might allow remote attackers to obtain sensitive information by decrypting the padding data sent by an SSL peer.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware vSphere updates address multiple vulnerabilities
VMWare ESX Server 4.1, VMWare ESX Server 4.0
hostd-vmdb in VMware ESXi 4.0 through 5.0 and ESX 4.0 through 4.1 allows remote attackers to cause a denial of service (hostd-vmdb service outage) by modifying management traffic.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1
Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.
Merryl DMello | DRAFT | INTERIM | ACCEPTED | ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1
Integer overflow in httpAdapter.c in httpAdapter in SBLIM SFCB 1.3.4 through 1.3.7, when the configuration sets httpMaxContentLength to a zero value, allows remote attackers to cause a denial of service (heap memory
corruption) or possibly execute arbitrary code via a large integer in the Content-Length HTTP header, aka bug #3001915. NOTE: some of these details are obtained from third party information.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
net/packet/af_packet.c in the Linux kernel before 2.6.37-rc2 does not properly initialize certain structure members, which allows local users to obtain potentially sensitive information from kernel stack memory by leveraging the CAP_NET_RAW capability to read copies of the applicable structures.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The sk_run_filter function in net/core/filter.c in the Linux kernel before 2.6.36.2 does not check whether a certain memory location has been initialized before executing a (1) BPF_S_LD_MEM or (2) BPF_S_LDX_MEM instruction, which allows local users to obtain potentially sensitive information from kernel stack memory via a crafted socket filter.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The xfs implementation in the Linux kernel before 2.6.35 does not look up inode
allocation btrees before reading inode buffers, which allows remote authenticated users to read unlinked files, or read or overwrite disk blocks that are currently assigned to an active file but were previously assigned to an unlinked file, by accessing a stale NFS filehandle.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
include/asm-x86/futex.h in the Linux kernel before 2.6.25 does not properly implement exception fixup, which allows local users to cause a denial of service (panic) via an invalid application that triggers a page fault.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, and 5.0 Update 27 and earlier, allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality and integrity via unknown vectors related to JDBC.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere security updates for the authentication service and third party libraries
VMWare ESX Server 4.1
libxslt, as used in Google Chrome before 17.0.963.46, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a "stack extension attack," a related issue to CVE-2010-2898, CVE-2010-1917, and CVE-2007-4782, as originally reported for use of this
library by Google Chrome.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware security updates for vSphere API and ESX Service Console
VMWare ESX Server 4.1
Memory leak in the poolGrow function in expat/lib/xmlparse.c in expat before 2.1.0 allows context-dependent attackers to cause a denial of service (memory consumption) via a large number of crafted XML files that cause improperly-handled reallocation failures when expanding entities.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Buffer overflow in the gnutls_session_get_data function in lib/gnutls_session.c in GnuTLS 2.12.x before 2.12.14 and 3.x before 3.0.7, when used on a client that performs nonstandard session resumption, allows remote TLS servers to cause a denial of service (application crash) via a large SessionTicket.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX, Workstation, Fusion, and View VMCI privilege escalation vulnerability
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The Virtual Machine Communication Interface (VMCI) implementation in vmci.sys in VMware Workstation 8.x before 8.0.5 and 9.x before 9.0.1 on Windows, VMware Fusion 4.1 before 4.1.4 and 5.0 before 5.0.2, VMware View 4.x before 4.6.2 and 5.x before 5.1.2 on Windows, VMware ESXi 4.0 through 5.1, and VMware ESX 4.0 and 4.1 does not properly restrict memory allocation by control code, which allows local users to gain privileges via unspecified vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The install_special_mapping function in mm/mmap.c in the Linux kernel before 2.6.37-rc6 does not make an expected security_file_mmap function call, which allows local users to bypass intended mmap_min_addr restrictions and possibly conduct NULL pointer dereference attacks via a crafted assembly-language application.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1
OpenSSL 0.9.8s and 1.0.0f does not properly support DTLS applications, which allows remote attackers to cause a denial of service (crash) via unspecified vectors related to an out-of-bounds read. NOTE: this vulnerability exists because of an incorrect fix for CVE-2011-4108.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm.
VMWare ESX Server 4.1, VMWare ESX Server 4.0
named in ISC BIND 9.x before 9.6.2-P3, 9.7.x before 9.7.2-P3, 9.4-ESV before 9.4-ESV-R4, and 9.6-ESV before 9.6-ESV-R3 does not properly determine the security status of an NS RRset during a DNSKEY algorithm rollover, which might allow remote attackers to cause a denial of service (DNSSEC validation error) by triggering a rollover.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues
VMWare ESX Server 4.1, VMWare ESX Server 4.0, VMWare ESX Server 3.5
Race condition in mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 through 4.1, and VMware ESX 3.0.3 through 4.1 allows guest OS users to gain privileges on the guest OS by mounting a filesystem on top of an arbitrary directory.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.0, VMWare ESX Server 4.1
Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU.
Oracle has not commented on claims from a reliable downstream vendor that this is related to the modification of "behavior and state of certain JDK classes" and "mutable static."
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware security updates for vSphere API and ESX Service Console
VMWare ESX Server 4.1
ISC BIND 9.4.x, 9.5.x, 9.6.x, and 9.7.x before 9.7.6-P2; 9.8.x before 9.8.3-P2; 9.9.x before 9.9.1-P2; and 9.6-ESV before 9.6-ESV-R7-P2, when DNSSEC validation is enabled, does not properly initialize the failing-query cache, which allows remote attackers to cause a denial of service (assertion failure and daemon exit) by sending many queries.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The mext_check_arguments function in fs/ext4/move_extent.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a MOVE_EXT ioctl call that specifies this file as a donor.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
kernel/signal.c in the Linux kernel before 2.6.39 allows local users to spoof the uid and pid of a signal sender via a sigqueueinfo system call.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console
VMWare ESX Server 4.1
MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not reject RC4 key-derivation checksums, which might allow remote authenticated users to forge a (1) AD-SIGNEDPATH or (2) AD-KDC-ISSUED signature, and possibly gain privileges, by leveraging the small key space that results from certain one-byte stream-cipher operations.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc, sudo, and openldap
VMWare ESX Server 4.1, VMWare ESX Server 4.0
ld.so in the GNU C Library
(aka glibc or libc6) before 2.11.3, and 2.12.x before 2.12.2, does not properly restrict use of the LD_AUDIT environment variable to reference dynamic shared objects (DSOs) as audit objects, which allows local users to gain privileges by leveraging an unsafe DSO located in a trusted library directory, as demonstrated by libpcprofile.so.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The __nfs4_proc_set_acl function in fs/nfs/nfs4proc.c in the Linux kernel before 2.6.38 stores NFSv4 ACL data in memory that is allocated by kmalloc but not properly freed, which allows local users to cause a denial of service (panic) via a crafted attempt to set an ACL.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1
pam_krb5 2.2.14 in Red Hat Enterprise Linux (RHEL) 5 and earlier, when the existing_ticket option is enabled, uses incorrect privileges when reading a Kerberos credential cache, which allows local users to gain privileges by setting the KRB5CCNAME environment variable to an arbitrary cache filename and running the (1) su or (2) sudo program. NOTE: there may be a related vector involving sshd that has limited relevance.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The vbd_create function in Xen 3.1.2, when the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 is used, allows guest OS users to cause a denial of service (host OS panic) via an attempted access to a virtual CD-ROM device through the blkback driver.
NOTE: some of these details are obtained from third party information.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.0, VMWare ESX Server 4.1
Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that HttpURLConnection does not properly check for the allowHttpTrace permission, which allows untrusted code to perform HTTP TRACE requests.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
net/sctp/sm_make_chunk.c in the Linux kernel before 2.6.34, when addip_enable and auth_enable are used, does not consider the amount of zero padding during calculation of chunk lengths for (1) INIT and (2) INIT ACK chunks, which allows remote attackers to cause a denial of service (OOPS) via crafted packet data.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
net/core/ethtool.c in the Linux kernel before 2.6.36 does not initialize certain data structures, which allows local users to obtain potentially sensitive information from kernel heap memory by leveraging the CAP_NET_ADMIN capability for an ethtool ioctl call.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow in the color profile parser that allows remote attackers to execute arbitrary code via a crafted Tag structure in a color profile.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere, ESX and ESXi updates to third party libraries
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Race condition in the ptrace functionality in the Linux kernel before 3.7.5 allows local users to gain privileges via a PTRACE_SETREGS ptrace system call in a crafted application, as demonstrated by ptrace_death.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console
VMWare ESX Server 4.1, VMWare ESX Server 4.0
VMware ESXi 4.0 and 4.1 and ESX 4.0 and 4.1 allow remote attackers to cause a denial of service (socket exhaustion) via unspecified network traffic.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1
** DISPUTED ** ldd in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows local users to gain privileges via a Trojan horse executable file linked with a modified loader that omits certain LD_TRACE_LOADED_OBJECTS checks. NOTE: the GNU C Library vendor states "This is just nonsense.
There are a gazillion other ways to introduce code if people are downloading arbitrary binaries and install them in appropriate directories or set LD_LIBRARY_PATH etc."
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Race condition in the __exit_signal function in kernel/exit.c in the Linux kernel before 2.6.37-rc2 allows local users to cause a denial of service via vectors related to multithreaded exec, the use of a thread group leader in kernel/posix-cpu-timers.c, and the selection of a new thread group leader in the de_thread function in fs/exec.c.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The udp_queue_rcv_skb function in net/ipv4/udp.c in a certain Red Hat build of the Linux kernel 2.6.18 in Red Hat Enterprise Linux (RHEL) 5 allows attackers to cause a denial of service (deadlock and system hang) by sending UDP traffic to a socket that has a crafted socket filter, a related issue to CVE-2010-4158.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi and ESX address several security issues
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Buffer overflow in the XPDM display driver in VMware View before 4.6.1 allows guest OS users to gain guest OS privileges via unspecified vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The Transparent Inter-Process Communication (TIPC) functionality in Linux kernel 2.6.16-rc1 through 2.6.33, and possibly other versions, allows local users to cause a denial of service (kernel OOPS) by sending datagrams through AF_TIPC before entering network mode, which triggers a NULL pointer dereference.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.0, VMWare ESX Server 4.1
Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality via unknown vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.0, VMWare ESX Server 4.1
Unspecified vulnerability in the Swing component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to unsafe reflection involving the UIDefault.ProxyLazyValue class.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The do_pages_move function in mm/migrate.c in the Linux kernel before 2.6.33-rc7 does not validate node values, which allows local users to read arbitrary kernel memory locations, cause a denial of service (OOPS), and possibly have unspecified other impact by specifying a node that is not part of the kernel's node set.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
The osf_partition function in fs/partitions/osf.c in the Linux kernel before 2.6.38 does not properly handle an invalid number of partitions, which might allow local users to obtain potentially sensitive information from kernel heap memory via vectors related to partition-table parsing.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component
updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
fs/proc/base.c in the Linux kernel before 2.6.39.4 does not properly restrict access to /proc/#####/io files, which allows local users to obtain sensitive I/O statistics by polling a file, as demonstrated by discovering the length of another user's password.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The (1) IPv4 and (2) IPv6 implementations in the Linux kernel before 3.1 use a modified MD4 algorithm to generate sequence numbers and Fragment Identification values, which makes it easier for remote attackers to cause a denial of service (disrupted networking) or hijack network sessions by predicting these values and sending crafted packets.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi and ESX address several security issues
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Buffer overflow in the WDDM display driver in VMware ESXi 4.0, 4.1, and 5.0; VMware ESX 4.0 and 4.1; and VMware View before 4.6.1 allows guest OS users to gain guest OS privileges via unspecified vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm.
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam)
before 1.1.2 use root privileges during read access to files and directories that belong to arbitrary user accounts, which might allow local users to obtain sensitive information by leveraging this filesystem activity, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1, VMWare ESX Server 4.0
RPM 4.4.x through 4.9.x, probably before 4.9.1.2, allows remote attackers to cause a denial of service (memory corruption) and possibly execute arbitrary code via an rpm package with crafted headers and offsets that are not properly handled when a package is queried or installed, related to (1) the regionSwab function, (2) the headerLoad function, and (3) multiple functions in rpmio/rpmpgp.c.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The fixup_page_fault function in arch/x86/traps.c in Xen 4.0.1 and earlier on 64-bit platforms, when paravirtualization is enabled, does not verify that kernel mode is used to call the handle_gdt_ldt_mapping_fault function, which allows guest OS users to cause a denial of service (host OS BUG_ON) via a crafted memory access.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1
Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, and 5.0 Update 27 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to 2D. NOTE: the previous information was obtained from the February 2011 CPU.
Oracle has not commented on claims from a downstream vendor that this issue is related to the exposure of system properties via vectors related to Font.createFont and exception text.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.0, VMWare ESX Server 4.1
Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
Multiple integer overflows in the (1) agp_allocate_memory and (2) agp_create_user_memory functions in drivers/char/agp/generic.c in the Linux kernel before 2.6.38.5 allow local users to trigger buffer overflows, and consequently cause a denial of service (system crash) or possibly have unspecified other impact, via vectors related to calls that specify a large number of memory pages.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
Off-by-one error in the __addr_ok macro in Xen 3.3 and earlier allows local 64 bit PV guest administrators to cause a denial of service (host crash) via unspecified hypercalls that ignore virtual-address bits.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The actions implementation in the network queueing functionality in the Linux kernel before 2.6.36-rc2 does not properly initialize certain structure members when performing dump operations, which allows local users to obtain potentially sensitive information from kernel memory via vectors related to (1) the tcf_gact_dump function in net/sched/act_gact.c, (2) the tcf_mirred_dump
function in net/sched/act_mirred.c, (3) the tcf_nat_dump function in net/sched/act_nat.c, (4) the tcf_simp_dump function in net/sched/act_simple.c, and (5) the tcf_skbedit_dump function in net/sched/act_skbedit.c.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1
Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 recognize a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
net/ipv4/netfilter/arp_tables.c in the IPv4 implementation in the Linux kernel before 2.6.39 does not place the expected '\0' character at the end of string data in the values of certain structure members, which allows local users to obtain potentially sensitive information from kernel memory by leveraging the CAP_NET_ADMIN capability to issue a crafted request, and then reading the argument to the resulting modprobe process.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
Xen, when using x86 Intel processors and the VMX virtualization extension is enabled, does not properly handle cpuid instruction emulation when exiting the VM, which allows local guest users to cause a denial of service (guest crash) via unspecified vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware hosted product updates, ESX patches and VI Client update resolve multiple security issues
VMWare ESX Server 4.1, VMWare ESX Server 4.0, VMWare ESX Server 3.5
mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before
7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 through 4.1, and VMware ESX 3.0.3 through 4.1 allows guest OS users to determine the existence of host OS files and directories via unspecified vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

Third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.0, VMWare ESX Server 4.1
Unspecified vulnerability in the Java Web Start component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware vSphere and vCOps updates to third party libraries
VMWare ESX Server 4.1, VMWare ESX Server 4.0
The asn1_get_length_der function in decoding.c in GNU Libtasn1 before 2.12, as used in GnuTLS before 3.0.16 and other products, does not properly handle certain large length values, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly have unspecified other impact via a crafted ASN.1 structure.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESXi and ESX updates to third party library and ESX Service Console
VMWare ESX Server 4.1
The gfs2_fallocate function in fs/gfs2/file.c in the Linux kernel before 3.0-rc1 does not ensure that the size of a chunk allocation is a multiple of the block size, which allows local users to cause a
denial of service (BUG and system crash) by arranging for all resource groups to have too little free space.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1, VMWare ESX Server 4.0
Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21 and 5.0 Update 25 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable downstream vendor that this is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy.
Merryl DMello
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX
VMWare ESX Server 4.1
Unspecified vulnerability in the Deployment component in Oracle Java SE and Java for Business 6 Update 21 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU.
Oracle has not commented on claims from a reliable researcher that this is related to "how Web Start retrieves security policies," BasicServiceImpl, and forged policies that bypass sandbox restrictions.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0The gfs2_dirent_find_space function in fs/gfs2/dir.c in the Linux kernel before 2.6.35 uses an incorrect size value in calculations associated with sentinel directory entries, which allows local users to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact by renaming a file in a GFS2 filesystem, related to the gfs2_rename function in fs/gfs2/ops_inode.c.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0The load_elf_binary function in fs/binfmt_elf.c in the Linux kernel before 2.6.32.8 on the x86_64 platform does not ensure that the ELF interpreter is available before a call to the SET_PERSONALITY macro, which allows local users to cause a denial of service (system crash) via a 32-bit application that attempts to execute a 64-bit application and then triggers a segmentation fault, as demonstrated by amd64_killer, related to the flush_old_exec function.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0The print_fatal_signal function in kernel/signal.c in the Linux kernel before 2.6.32.4 on the i386 platform, when print-fatal-signals is enabled, allows local users to discover the contents of arbitrary memory locations by jumping to an address and then reading a log file, and might allow local users to cause a denial of service (system slowdown or crash) by jumping to an address.Merryl 
DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware Workstation, Player, ESXi and ESX patches address critical security issuesVMWare ESX Server 4.1VMWare ESX Server 4.0VMWare ESX Server 3.5VMware ESXi 3.5 through 5.0 and ESX 3.5 through 4.1 allow remote attackers to execute arbitrary code or cause a denial of service (memory overwrite) via NFS traffic.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0The div_long_long_rem implementation in include/asm-x86/div64.h in the Linux kernel before 2.6.26 on the x86 platform allows local users to cause a denial of service (Divide Error Fault and panic) via a clock_gettime system call.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0Buffer overflow in the ecryptfs_uid_hash macro in fs/ecryptfs/messaging.c in the eCryptfs subsystem in the Linux kernel before 2.6.35 might allow local users to gain privileges or cause a denial of service (system crash) via unspecified vectors.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain checksums that (1) are unkeyed or (2) use RC4 keys.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0arch/x86/hvm/vmx/vmcs.c in the virtual-machine control structure (VMCS) implementation in the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5, when an Intel platform without Extended Page Tables (EPT) 
functionality is used, accesses VMCS fields without verifying hardware support for these fields, which allows local users to cause a denial of service (host OS crash) by requesting a VMCS dump for a fully virtualized Xen guest.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc, sudo, and openldapVMWare ESX Server 4.1VMWare ESX Server 4.0Sudo 1.7.0 through 1.7.4p3, when a Runas group is configured, does not properly handle use of the -u option in conjunction with the -g option, which allows local users to gain privileges via a command line containing a "-u root" sequence.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0Integer overflow in the do_io_submit function in fs/aio.c in the Linux kernel before 2.6.36-rc4-next-20100915 allows local users to cause a denial of service or possibly have unspecified other impact via crafted use of the io_submit system call.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare 
ESX Server 4.1VMWare ESX Server 4.0Unspecified vulnerability in the 2D component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, and 1.4.2_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow that triggers memory corruption via large values in a subsample of a JPEG image, related to JPEGImageWriter.writeImage in the imageio API.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0arch/ia64/xen/faults.c in Xen 3.4 and 4.0 in Linux kernel 2.6.18, and possibly other kernel versions, when running on IA-64 architectures, allows local users to cause a denial of service and "turn on BE by modifying the user mask of the PSR," as demonstrated via exploitation of CVE-2006-0742.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0Multiple integer overflows in the snd_ctl_new function in sound/core/control.c in the Linux kernel before 2.6.36-rc5-next-20100929 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a crafted (1) SNDRV_CTL_IOCTL_ELEM_ADD or (2) SNDRV_CTL_IOCTL_ELEM_REPLACE ioctl call.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0The MMIO instruction decoder in the Xen hypervisor in the Linux kernel 2.6.18 in Red Hat Enterprise Linux (RHEL) 5 allows guest OS users to cause a denial of service (32-bit guest OS crash) via vectors that trigger an unspecified instruction emulation.Merryl 
DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality via unknown vectors related to Deployment.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23, and, and earlier allows remote attackers to affect availability via unknown vectors related to JAXP and unspecified APIs. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is related to "Features set on SchemaFactory not inherited by Validator."Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm.VMWare ESX Server 4.1VMWare ESX Server 4.0ISC BIND before 9.7.2-P2, when DNSSEC validation is enabled, does not properly handle certain bad signatures if multiple trust anchors exist for a single zone, which allows remote attackers to cause a denial of service (daemon crash) via a DNS query.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0The ipc subsystem in the Linux kernel before 2.6.37-rc1 does not initialize certain structures, which allows local users to obtain potentially sensitive information from kernel stack memory via vectors related to the (1) compat_sys_semctl, (2) 
compat_sys_msgctl, and (3) compat_sys_shmctl functions in ipc/compat.c; and the (4) compat_sys_mq_open and (5) compat_sys_mq_getsetattr functions in ipc/compat_mq.c.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Windows, when using Java Update, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0The ip6_dst_lookup_tail function in net/ipv6/ip6_output.c in the Linux kernel before 2.6.27 does not properly handle certain circumstances involving an IPv6 TUN network interface and a large number of neighbors, which allows attackers to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via unknown vectors.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0The igb_receive_skb function in drivers/net/igb/igb_main.c in the Intel Gigabit Ethernet (aka igb) subsystem in the Linux kernel before 2.6.34, when Single Root I/O Virtualization (SR-IOV) and promiscuous mode are enabled but no VLANs are registered, allows remote attackers to cause a denial of service (NULL pointer dereference and panic) and possibly have unspecified other impact via a VLAN tagged frame.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm.VMWare ESX Server 4.1VMWare ESX Server 4.0The run_coprocess function in pam_xauth.c in the pam_xauth module in 
Linux-PAM (aka pam) before 1.1.2 does not check the return values of the setuid, setgid, and setgroups system calls, which might allow local users to read arbitrary files by executing a program that relies on the pam_xauth PAM check.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0VMWare ESX Server 3.5The do_anonymous_page function in mm/memory.c in the Linux kernel before 2.6.27.52, 2.6.32.x before 2.6.32.19, 2.6.34.x before 2.6.34.4, and 2.6.35.x before 2.6.35.2 does not properly separate the stack and the heap, which allows context-dependent attackers to execute arbitrary code by writing to the bottom page of a shared memory segment, as demonstrated by a memory-exhaustion attack against the X.Org X server.Merryl DMelloDRAFTINTERIMChris CoffinACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0Integer overflow in posix/fnmatch.c in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows context-dependent attackers to cause a denial of service (application crash) via a long UTF8 string that is used in an fnmatch call with a crafted pattern argument, a different vulnerability than CVE-2011-1071.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service ConsoleVMWare ESX Server 4.1MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain checksums that (1) are unkeyed or (2) use RC4 keys.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere, ESX and ESXi updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 
4.0The msr_open function in arch/x86/kernel/msr.c in the Linux kernel before 3.7.6 allows local users to bypass intended capability restrictions by executing a crafted application as root, as demonstrated by msr32.c.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0The unparse implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (file descriptor exhaustion and daemon hang) via a principal name that triggers use of a backslash escape sequence, as demonstrated by a \n sequence.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 earlier allows remote untrusted Java Web Start applications and untrusted Java applets to affect integrity via unknown vectors related to Networking. NOTE: the previous information was obtained from the February 2011 CPU. 
Oracle has not commented on claims from a downstream vendor that this issue involves "DNS cache poisoning by untrusted applets."Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0The DNS resolution functionality in the CIFS implementation in the Linux kernel before 2.6.35, when CONFIG_CIFS_DFS_UPCALL is enabled, relies on a user's keyring for the dns_resolver upcall in the cifs.upcall userspace helper, which allows local users to spoof the results of DNS queries and perform arbitrary CIFS mounts via vectors involving an add_key call, related to a "cache stuffing" issue and MS-DFS referrals.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0The do_gfs2_set_flags function in fs/gfs2/file.c in the Linux kernel before 2.6.34-git10 does not verify the ownership of a file, which allows local users to bypass intended access restrictions via a SETFLAGS ioctl request.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0Linux kernel 2.6.18 through 2.6.33, and possibly other versions, allows remote attackers to cause a denial of service (memory corruption) via a large number of Bluetooth sockets, related to the size of sysfs files in (1) 
net/bluetooth/l2cap.c, (2) net/bluetooth/rfcomm/core.c, (3) net/bluetooth/rfcomm/sock.c, and (4) net/bluetooth/sco.c.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc, sudo, and openldapVMWare ESX Server 4.1VMWare ESX Server 4.0elf/dl-load.c in ld.so in the GNU C Library (aka glibc or libc6) through 2.11.2, and 2.12.x through 2.12.1, does not properly handle a value of $ORIGIN for the LD_AUDIT environment variable, which allows local users to gain privileges via a crafted dynamic shared object (DSO) located in an arbitrary directory.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware security updates for vSphere API and ESX Service ConsoleVMWare ESX Server 4.1Python 2.6 through 3.2 creates ~/.pypirc with world-readable permissions before changing them after data has been written, which introduces a race condition that allows local users to obtain a username and password by reading this file.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0Race condition in the find_keyring_by_name function in security/keys/keyring.c in the Linux kernel 2.6.34-rc5 and earlier allows local users to cause a denial of service (memory corruption and system crash) or possibly have unspecified other impact via keyctl session commands that trigger access to a dead keyring that is undergoing deletion by the key_cleanup function.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1VMWare ESX Server 4.0The add_del_listener function in kernel/taskstats.c in the Linux kernel 2.6.39.1 and earlier does not prevent multiple registrations of exit handlers, which allows local users to cause a denial of service (memory and CPU consumption), and bypass the OOM Killer, via a crafted application.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party 
component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier for Solaris and Linux; 5.0 Update 27 and earlier for Solaris and Linux; and 1.4.2_29 and earlier for Solaris and Linux allows local standalone applications to affect confidentiality, integrity, and availability via unknown vectors related to Launcher. NOTE: the previous information was obtained from the February 2011 CPU. Oracle has not commented on claims from a downstream vendor that this issue is an untrusted search path vulnerability involving an empty LD_LIBRARY_PATH environment variable.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1Xen, possibly before 4.0.2, allows local 64-bit PV guests to cause a denial of service (host crash) by specifying user mode execution without user-mode pagetables.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1The SSL implementation in Mozilla Firefox before 3.5.14 and 3.6.x before 3.6.11, Thunderbird before 3.0.9 and 3.1.x before 3.1.5, and SeaMonkey before 2.0.9 does not properly set the minimum key length for Diffie-Hellman Ephemeral (DHE) mode, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via a brute-force attack.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware vSphere and vCOps updates to third party librariesVMWare ESX Server 4.1CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a 
different vulnerability than CVE-2010-2761 and CVE-2010-3172.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1VMWare ESX Server 4.0Multiple race conditions in smtpd.py in the smtpd module in Python 2.6, 2.7, 3.1, and 3.2 alpha allow remote attackers to cause a denial of service (daemon outage) by establishing and then immediately closing a TCP connection, leading to the accept function having an unexpected return value of None, an unexpected value of None for the address, or an ECONNABORTED, EAGAIN, or EWOULDBLOCK error, or the getpeername function having an ENOTCONN error, a related issue to CVE-2010-3492.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0OpenSSL before 0.9.8q, and 1.0.x before 1.0.0c, when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 21 through 6 Update 23 allows remote untrusted Java Web Start applications and untrusted Java applets to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm.VMWare ESX Server 4.1VMWare ESX Server 4.0lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, 
does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1VMWare ESX Server 4.0lib/fsm.c in RPM 4.8.0 and unspecified 4.7.x and 4.6.x versions, and RPM before 4.4.3, does not properly reset the metadata of an executable file during replacement of the file in an RPM package upgrade, which might allow local users to gain privileges by creating a hard link to a vulnerable (1) setuid or (2) setgid file.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1The xfs_fs_geometry function in fs/xfs/xfs_fsops.c in the Linux kernel before 2.6.38-rc6-git3 does not initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an FSGEOMETRY_V1 ioctl call.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESXi and ESX updates to third party library and ESX Service ConsoleVMWare ESX Server 4.1Multiple integer overflows in the next_pidmap function in kernel/pid.c in the Linux kernel before 2.6.38.4 allow local users to cause a denial of service (system crash) via a crafted (1) getdents or (2) readdir system call.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0net/bridge/netfilter/ebtables.c in the ebtables module in the netfilter framework in the Linux kernel before 2.6.33-rc4 does not require the CAP_NET_ADMIN capability for setting or modifying rules, which allows local users to bypass intended access restrictions and configure arbitrary network-traffic filtering via a modified ebtables 
application.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware third party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0Unspecified vulnerability in the Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Sound and unspecified APIs.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware hosted product updates, ESX patches and VI Client update resolve multiple security issuesVMWare ESX Server 4.1VMWare ESX Server 4.0VMWare ESX Server 3.5drivers/net/e1000/e1000_main.c in the e1000 driver in the Linux kernel 2.6.32.3 and earlier handles Ethernet frames that exceed the MTU by processing certain trailing payload data as if it were a complete frame, which allows remote attackers to bypass packet filters via a large packet with a crafted payload. NOTE: this vulnerability exists because of an incorrect fix for CVE-2009-1385.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX Server 3.5.0 is installedVMware ESX Server 3.5The operating system installed on the system is VMware ESX Server 3.5.0.Pai PengDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has $ORIGIN in (a) RPATH or (b) RUNPATH within the program itself or a referenced library. 
NOTE: this issue exists because of an incorrect fix for CVE-2010-3847.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0The setup_arg_pages function in fs/exec.c in the Linux kernel before 2.6.36, when CONFIG_STACK_GROWSDOWN is used, does not properly restrict the stack memory consumption of the (1) arguments and (2) environment for a 32-bit application on a 64-bit platform, which allows local users to cause a denial of service (system crash) via a crafted exec system call, a related issue to CVE-2010-2240.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.1VMWare ESX Server 4.0Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0The napi_reuse_skb function in net/core/dev.c in the Generic Receive Offload (GRO) implementation in the Linux kernel before 2.6.38 does not reset the values of certain structure members, which might allow remote attackers to cause a denial of service (NULL pointer dereference) via a malformed VLAN frame.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current 
working directory during execution of a (1) setuid or (2) setgid program that has $ORIGIN in (a) RPATH or (b) RUNPATH within the program itself or a referenced library. NOTE: this issue exists because of an incorrect fix for CVE-2010-3847.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1VMWare ESX Server 4.0The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel before 2.6.38-rc2 does not check the sign of a certain integer field, which allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX/ESXi SLPD denial of service vulnerability and ESX third party updates for Service Console packages bind, pam, and rpm.VMWare ESX Server 4.1VMWare ESX Server 4.0pam_namespace.c in the pam_namespace module in Linux-PAM (aka pam) before 1.1.3 uses the environment of the invoking application or service during execution of the namespace.init script, which might allow local users to gain privileges by running a setuid program that relies on the pam_namespace PAM check, as demonstrated by the sudo program.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDThird party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESXVMWare ESX Server 4.0VMWare ESX Server 4.1Unspecified vulnerability in the Networking component in Oracle Java SE and Java for Business 6 Update 21, 5.0 Update 25, 1.4.2_27, and 1.3.1_28 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2010 CPU. 
Oracle has not commented on claims from a reliable downstream vendor that this is related to missing validation of request headers in the HttpURLConnection class when they are set by applets, which allows remote attackers to bypass the intended security policy.Merryl DMelloDRAFTINTERIMACCEPTEDACCEPTEDFirmware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service ConsoleVMWare ESX Server 4.0VMWare ESX Server 4.1VMware ESXi 4.0 and 4.1 and ESX 4.0 and 4.1 allow remote attackers to cause a denial of service (socket exhaustion) via unspecified network traffic.Aslesha NargolkarDRAFTINTERIMACCEPTEDACCEPTEDVMware ESX Server 4.0 is installedVMware ESX Server 4.0The operating system installed on the system is VMware ESX Server 4.0.Michael WoodDRAFTINTERIMACCEPTEDChris CoffinINTERIMACCEPTEDACCEPTEDVMSA-2011-0010 VMware ESX third party updates for Service Console packages glibc and dhcpVMWare ESX Server 4.1Multiple untrusted search path vulnerabilities in elf/dl-object.c in certain modified versions of the GNU C Library (aka glibc or libc6), including glibc-2.5-49.el5_5.6 and glibc-2.12-1.7.el6_0.3 in Red Hat Enterprise Linux, allow local users to gain privileges via a crafted dynamic shared object (DSO) in a subdirectory of the current working directory during execution of a (1) setuid or (2) setgid program that has $ORIGIN in (a) RPATH or (b) RUNPATH within the program itself or a referenced library. 
NOTE: this issue exists because of an incorrect fix for CVE-2010-3847.
Aslesha Nargolkar
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMSA-2011-0010 VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.0, VMWare ESX Server 4.1
The GNU C Library (aka glibc or libc6) before 2.12.2 and Embedded GLIBC (EGLIBC) allow context-dependent attackers to execute arbitrary code or cause a denial of service (memory consumption) via a long UTF8 string that is used in an fnmatch call, aka a "stack extension attack," a related issue to CVE-2010-2898, CVE-2010-1917, and CVE-2007-4782, as originally reported for use of this library by Google Chrome.
Aslesha Nargolkar
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMSA-2011-0010 VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.0, VMWare ESX Server 4.1
dhclient in ISC DHCP 3.0.x through 4.2.x before 4.2.1-P1, 3.1-ESV before 3.1-ESV-R1, and 4.1-ESV before 4.1-ESV-R2 allows remote attackers to execute arbitrary commands via shell metacharacters in a hostname obtained from a DHCP message, as demonstrated by a hostname that is provided to dhclient-script.
Aslesha Nargolkar
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMSA-2011-0010 VMware ESX third party updates for Service Console packages glibc and dhcp
VMWare ESX Server 4.0, VMWare ESX Server 4.1
locale/programs/locale.c in locale in the GNU C Library (aka glibc or libc6) before 2.13 does not quote its output, which might allow local users to gain privileges via a crafted localization environment variable, in conjunction with a program that executes a script that uses the eval function.
Aslesha Nargolkar
DRAFT, INTERIM, ACCEPTED, ACCEPTED

VMware ESX Server 4.1 is installed
VMware ESX Server 4.1
The operating system installed on the system is VMware ESX Server 4.1.
Jonathan Baker
DRAFT, INTERIM, ACCEPTED
Chandan M C
INTERIM, ACCEPTED, ACCEPTED

3.5.0, 4.0.0, 4.1.0